6-6-9 Practice Questions.pdf - Page 1 of 9 Exam Report 6.6.9 Practice Questions Date 1:20:34 pm Time Spent 2:29 Candidate Hong John Login jhong19


Exam Report: 6.6.9 Practice Questions

Date: 6/11/2019 1:20:34 pm
Time Spent: 2:29
Candidate: Hong, John
Login: jhong19

Overall Performance
Your Score: 100%
Passing Score: 80%

Individual Responses

Question 1: Correct

This question includes an image to help you answer the question. Use the Exhibit to answer the following question.

You are the network administrator for a city library. Throughout the library are several groups of computers that provide public access to the Internet. Supervision of these computers has been difficult. You've had problems with patrons bringing personal laptops into the library and disconnecting the network cables from the library computers to connect their laptops to the Internet. The library computers are in groups of four. Each group of four computers is connected to a hub that is connected to the library network through an access port on a Catalyst 2960 switch. You want to restrict access to the network so only the library computers are permitted connectivity to the Internet. What can you do?

• Create a VLAN for each group of four computers.
• Remove the hub and place each library computer on its own access port.
• Configure port security on the switch.
• Create static MAC addresses for each computer and associate it with a VLAN.

Explanation

Configuring port security on the Catalyst 2950 switch can restrict access so that only specific MAC addresses can connect to the configured switch port. This would prevent the laptop computers from being permitted connectivity. Placing each library computer on its own access port would have no effect. VLANs are used to group broadcast traffic and do not restrict connectivity of devices as needed in this scenario.

References

LabSim for Routing and Switching Pro, Section 6.6.
[CCNA_AllQuestions.exm SWITCH_SEC_01]

Question 2: Correct

You've just enabled port security on an interface of a Catalyst 2950 switch. You want to generate an SNMP trap whenever a violation occurs. Which feature should you enable?

• secure
• restrict
• protect
• shutdown

Explanation

The feature restrict configures two actions whenever a violation occurs:

1. The interface will not forward any frames from source addresses not assigned to the port.
2. The switch generates a console message and sends an SNMP trap to a designated network management station whenever a violation occurs.

When the feature protect is enabled, the interface will not forward any frames from source addresses not assigned to the port. The shutdown feature shuts down the port when a violation occurs, requiring it to be re-enabled by an administrator. There is no secure feature in the switchport port-security violation command.

References

LabSim for Routing and Switching Pro, Section 6.6. [CCNA_AllQuestions.exm SWITCH_SEC_03]

Question 3: Correct

What are the default switchport configuration parameters on a 2960 switch? (Select two.)

• Violation action is set to protect.
• Violation action is set to shutdown.
• A maximum of 1 MAC address per port is allowed.
• Violation action is set to restrict.
• A maximum of 3 MAC addresses per port are allowed.
• A maximum of 5 MAC addresses per port are allowed.

Explanation

On a new 2960 switch, the default port security settings allow a single MAC address per port, with shutdown being the default port violation action.

References

LabSim for Routing and Switching Pro, Section 6.6. [CCNA_AllQuestions.exm SWITCH_SEC_04]

Question 4: Correct

You are configuring a new 2960 switch.
You issue the following commands:

    switch(config)#interface fast 0/15
    switch(config-if)#switchport mode access
    switch(config-if)#switchport port-security
    switch(config-if)#switchport port-security maximum 1
    switch(config-if)#switchport port-security mac-address sticky
    switch(config-if)#switchport port-security violation protect

You connect a hub with two workstations to port Fa0/15. You power on first Device1 and then Device2. What will be the result?

• Frames from Device2 will be allowed; frames from Device1 will be dropped.
• Port Fa0/15 will be disabled and no frames will be accepted or forwarded.
• Frames from Device1 will be allowed; frames from Device2 will be dropped.
• Frames from both Device1 and Device2 will be allowed.

Explanation

Based on this configuration, frames from Device1 will be allowed while frames from Device2 will be dropped. The switch allows a single MAC address to connect to each switch port. The switch is configured to learn the MAC address of the first device that connects, and grants access only to that device. When a second device is attached to the port, the protect parameter drops packets from unauthorized devices.

To allow both Device1 and Device2 to connect, set the maximum to 2. To disable a port when a violation occurs, configure shutdown as the violation method.

References

LabSim for Routing and Switching Pro, Section 6.6. [CCNA_AllQuestions.exm SWITCH_SEC_05]

Question 5: Correct

You have a Catalyst 2960 switch on a small local area network with one server and five workstations. The file server is named SrvFS and is connected to port Fa0/17 on the switch. You want to make sure that only this server can connect to port Fa0/17, but that it can send and receive frames from the five workstations on the network. What should you do?

• Apply an access list to Fa0/17 that allows incoming traffic only from SrvFS.
• Configure switchport security on Fa0/17 to allow the MAC address of the server and the five workstations.
• Configure switchport security on Fa0/17 to allow only the MAC address of SrvFS.
• Apply an access list to Fa0/17 that allows outgoing traffic only to SrvFS.

Explanation

To control which devices can connect to a switch port, configure switch port security. In this scenario, set the maximum devices to 1, then configure Fa0/17 with the MAC address of the server. Only the server will be able to connect to this switch port.

Configuring the MAC address of all devices on the Fa0/17 port would enable any of the five workstations to connect to that port. An access list is a security mechanism applied to routers. Access lists filter on IP address or port or protocol; they do not filter based on MAC address and are not used on Layer 2 switches.

References

LabSim for Routing and Switching Pro, Section 6.6. [CCNA_AllQuestions.exm SWITCH_SEC_07]

Question 6: Correct

You have a Catalyst 2960 switch on a small local area network with one server and five workstations. The file server is named SrvFS and is connected to port Fa0/17 on the switch. You want to make sure that only this server can connect to port Fa0/17. If any unauthorized devices attempt to attach, you want to disable the port until you manually re-enable it. On Fa0/17, you use the switchport port-security mac-address command to identify the MAC address of the server. What else should you include in your configuration? (Select two.)

• switchport port-security maximum 5
• switchport port-security violation protect
• switchport port-security maximum 6
• switchport port-security violation restrict
• switchport port-security violation shutdown
• switchport port-security maximum 1

Explanation

To allow only a single device to connect, use the switchport port-security maximum 1 command. To disable the port when a violation occurs, use shutdown for the violation mode. Setting the maximum higher than 1 would allow multiple devices to connect to the switch port.
Using protect or restrict as the violation mode drops frames from unauthorized devices, but continues to allow the authorized device to use the port.

References

LabSim for Routing and Switching Pro, Section 6.6. [CCNA_AllQuestions.exm SWITCH_SEC_08]

Question 7: Correct

You have a switch that has port security enabled on the Fa0/3 interface. The output of the show port-security interface fa0/3 command is shown below:

    Port Security              : Enabled
    Port Status                : Secure-up
    Violation Mode             : Protect
    Aging Time                 : 0 mins
    Aging Type                 : Absolute
    SecureStatic Address Aging : Disabled
    Maximum MAC Addresses      : 2
    Total MAC Addresses        : 1
    Configured MAC Addresses   : 0
    Sticky MAC Addresses       : 1
    Last Source Address:Vlan   : 0800.46f5.491c:1
    Security Violation Count   : 0

What is true of this configuration? (Select two.)

• The port allows up to two connected devices.
• Two devices have connected to the port.
• The port has learned one MAC address and saved that address in the running-config file.
• One MAC address entry has been statically configured for the port.
• If the port detects MAC addresses over the allowed limit, the port will become disabled.

Explanation

In this example:

• The maximum number of MAC addresses for this port is 2 (indicated by the Maximum MAC Addresses line).
• The port has learned one MAC address and saved that address in the running-config file (indicated by the number on the Sticky MAC Addresses line).
• The port has a record of 1 MAC address (indicated by the Total MAC Addresses line).
• When the maximum MAC addresses is reached, the port will drop frames from additional hosts. The Violation Mode is set to protect. A mode of shutdown would disable the port when other MAC addresses are detected.

References

LabSim for Routing and Switching Pro, Section 6.6. [CCNA_AllQuestions.exm SWITCH_SEC_09]

Question 8: Correct

You have a switch that has port security enabled on the Fa0/3 interface.
The output of the show port-security interface fa0/3 command is shown below:

    Port Security              : Enabled
    Port Status                : Secure-shutdown
    Violation Mode             : Shutdown
    Aging Time                 : 0 mins
    Aging Type                 : Absolute
    SecureStatic Address Aging : Disabled
    Maximum MAC Addresses      : 2
    Total MAC Addresses        : 2
    Configured MAC Addresses   : 1
    Sticky MAC Addresses       : 0
    Last Source Address:Vlan   : 0800.46f5.491c:1
    Security Violation Count   : 1

What is true of this configuration?

• The port is up. One additional MAC address can connect to the port and be allowed.
• The port is up and can be used by any device.
• The port is up and can be used by the two devices whose MAC addresses have been identified.
• The port has been disabled because too many MAC addresses have been detected.

Explanation

This port has been disabled because of a security violation. The Port Status entry indicates Secure-shutdown, with the Security Violation Count indicating that too many MAC addresses have been detected on the port.

References

LabSim for Routing and Switching Pro, Section 6.6. [CCNA_AllQuestions.exm SWITCH_SEC_10]

Question 9: Correct

You have configured port security for the Fa0/3 interface. To test the security settings, you connect two workstations to the same port. Both are allowed to connect. You check the running-config file and find the following for the interface:

    interface FastEthernet0/3
     switchport mode access
     switchport port-security mac-address sticky

You want to allow only a single device to connect to this port. What should you do?

• For the interface, use the switchport port-security mac-address command with the MAC address of the allowed host and including the sticky keyword.
• For the interface, use the switchport port-security mac-address command and identify the allowed MAC address.
• For the interface, use the switchport port-security violation shutdown command.
• For the interface, use the switchport port-security maximum 1 command.
• For the interface, use the switchport port-security command.
Explanation

Before port security settings are enforced, you must include the switchport port-security command in the configuration. This enables port security on the interface. Other port security settings can be configured with port security disabled, but the settings won't be enforced until it is enabled.

By default, a maximum of 1 device can connect to each port and the violation mode is set to shutdown. Setting either value to the default does not result in an entry in the configuration file. Identifying MAC addresses, with or without the sticky keyword, would not restrict access unless port security is enabled.

References

LabSim for Routing and Switching Pro, Section 6.6. [CCNA_AllQuestions.exm SWITCH_SEC_11]

Question 10: Correct

Which of the following are true of port security sticky addresses? (Select two.)

• They can be learned automatically or manually configured.
• They are placed in the startup-config file.
• They are only learned automatically.
• They are placed in the running-config file, and can be saved to the startup-config file.
• They are held in RAM, but not in a configuration file.

Explanation

Sticky addresses can be learned automatically or manually configured. When sticky addresses are learned, they are automatically placed in the running-config file. To make these addresses immediately available when the system restarts, save the running-config file.

The switch learns MAC addresses automatically and can use these dynamic addresses for port security. Dynamic addresses that are not sticky are held in RAM, but not added to the configuration file. Static addresses are manually configured and appear in the running-config file.

References

LabSim for Routing and Switching Pro, Section 6.6. [CCNA_AllQuestions.exm SWITCH_SEC_12]

Question 11: Correct

You have just enabled port security on a switch port. What are the default settings? (Select three.)
• Maximum of 1 device
• Maximum of 2 devices
• Restrict violation mode
• Sticky learn MAC addresses
• Protect violation mode
• Statically-configured MAC addresses
• Shutdown violation mode
• Dynamically-learned allowed addresses

Explanation

Default port security settings are:

• A maximum of 1 device per port
• Violation mode set to shutdown
• Addresses are dynamically learned, but not sticky

References

LabSim for Routing and Switching Pro, Section 6.6. [CCNA_AllQuestions.exm SWITCH_SEC_13]

Question 12: Correct

This question includes an image to help you answer the question.

You have two IP phone daisy chains as shown in the exhibit. Which of the following commands correctly configures port security on both FastEthernet 0/5 and 0/6? (Select two.)

• Switch(config-if)#switchport port-security
• Switch(config-if)#switchport port-security maximum 2
• Switch(config-if)#switchport port-security mac-address sticky
• Switch(config-if)#switchport port-security maximum 3

Explanation

When you enable port security on an interface that is also configured with a voice VLAN, you must set the maximum allowed secure addresses on the port to two plus the maximum number of secure addresses allowed on the access VLAN. The recommended maximum allowed value is 3 when a voice VLAN is configured on the interface.

• When the port is connected to a Cisco IP Phone, the phone requires up to two MAC addresses. The phone address is learned on the voice VLAN and might also be learned on the access VLAN.
• Connecting a PC to the phone requires additional MAC addresses.

You can enter port security commands for an interface without port security being enabled. However, port security will not be enforced (enabled) if the switchport port-security entry is missing.

You cannot configure static secure or sticky secure MAC addresses on the voice VLAN. If any type of port security is enabled on the access VLAN, dynamic port security is automatically enabled on the voice VLAN.
References

LabSim for Routing and Switching Pro, Section 6.6. [CCNA_AllQuestions.exm SWITCH_SEC_14]

Question 13: Correct

In which of the following situations would you use port security?

• You wanted to prevent sniffing attacks on the network.
• You wanted to prevent MAC address spoofing.
• You wanted to control the packets sent and received by a router.
• You wanted to restrict the devices that could connect through a switch port.

Explanation

Use port security on a switch to restrict the devices that can connect to a switch. Port security uses the MAC address to identify allowed and denied devices. When an incoming frame is received, the switch examines the source MAC address to decide whether to forward or drop the frame.

Port security cannot prevent sniffing or MAC address spoofing attacks. Use an access list on a router to control sent and received packets.

References

LabSim for Routing and Switching Pro, Section 6.6. [CCNA_AllQuestions.exm SWITCH_SEC_15]

Question 14: Correct

This question includes a lab to help you answer the question.

You are troubleshooting the connections on a switch. Which would you do to correct the status shown for Fa0/12?

Note: You will not be able to use the show run or show start commands in this lab.

• Use the no shutdown command.
• Replace the cable.
• Disable port security.
• Nothing. The interface is working correctly.

Explanation

To discover the problem with the FastEthernet0/12 interface, use the show interface fa0/12 command. The status of FastEthernet0/12 is administratively down, line protocol is down (disabled). This means the port is administratively disabled with the shutdown command. To change the status of this port, issue the no shutdown command.

Replace the cable if the port status is down, line protocol is down (notconnect). Disable port security if the port status is down, line protocol is down (err-disabled). If the port status is up, line protocol is up (connected), the port is working correctly.
References

LabSim for Routing and Switching Pro, Section 4.7. [SimQuestions.exm SWITCHTEST1]

Question 15: Correct

This question includes a lab to help you answer the question.

You are troubleshooting the connections on a switch. The device connected to the switch on fa0/8 is powered on. Which would you do to correct the status of Fa0/8?

Note: You will not be able to use the show run or show start commands in this lab.

• Use the no shutdown command.
• Replace the cable.
• Disable port security.
• Nothing. The interface is working correctly.

Explanation

To discover the problem with the FastEthernet0/8 interface, use the show interface fa0/8 command. The status of FastEthernet0/8 is down, line protocol is down (notconnect). This status indicates there is a hardware or network connection problem (Physical layer), such as:

• No cable or bad cable
• The device on the other end of the cable is powered off or the other interface is administratively shutdown (with the shutdown command)

The third line in the show interface fa0/8 command indicates the port is connected to workstation #5. You now know this device is powered on and is not a Cisco device, so the cable may be bad.

Issue the no shutdown command if the port status is administratively down, line protocol is down (disabled). Disable port security if the port status is down, line protocol is down (err-disabled). If the port status is up, line protocol is up (connected), the port is working correctly.

References

LabSim for Routing and Switching Pro, Section 4.7. [SimQuestions.exm SWITCHTEST2] ...
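
The frame-handling behaviour that the explanations for Questions 4, 6 and 9 describe, written out as a small Python model. This is an added example, not part of the exam report and not Cisco software; the SecurePort class, its fields and the second MAC address are hypothetical names and values constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class SecurePort:
    enabled: bool = False          # has "switchport port-security" been entered?
    maximum: int = 1               # default: one MAC address per port
    violation: str = "shutdown"    # default violation mode
    sticky: bool = False           # default: dynamic learning, not sticky
    secure: list = field(default_factory=list)          # allowed source MACs
    running_config: list = field(default_factory=list)  # static/sticky entries
    traps: list = field(default_factory=list)           # SNMP traps (restrict)
    status: str = "Secure-up"

    def add_static(self, mac):
        """Manually configured address; it appears in the running-config."""
        self.secure.append(mac)
        self.running_config.append(f"switchport port-security mac-address {mac}")

    def receive(self, mac):
        """Return 'forward' or 'drop' for a frame with this source MAC."""
        if not self.enabled:
            return "forward"                 # settings present but not enforced
        if self.status == "Secure-shutdown":
            return "drop"                    # stays down until re-enabled by hand
        if mac in self.secure:
            return "forward"
        if len(self.secure) < self.maximum:  # room left: learn the address
            self.secure.append(mac)
            if self.sticky:
                self.running_config.append(
                    f"switchport port-security mac-address sticky {mac}")
            return "forward"
        # Violation: unknown source address and the secure table is full.
        if self.violation == "restrict":
            self.traps.append(mac)           # console message plus SNMP trap
        elif self.violation == "shutdown":
            self.status = "Secure-shutdown"
        return "drop"                        # protect: drop only, no notification

def run(port, frames):
    """Feed a sequence of source MACs through the port, collect the decisions."""
    return [port.receive(m) for m in frames]

# DEV1 reuses the MAC from the page's show output; DEV2 is a constructed value.
DEV1, DEV2 = "0800.46f5.491c", "0800.46f5.0002"

def question4():   # sticky, maximum 1, protect, two hosts behind a hub
    p = SecurePort(enabled=True, maximum=1, sticky=True, violation="protect")
    return p, run(p, [DEV1, DEV2, DEV1])

def question6():   # static server MAC, maximum 1, shutdown
    p = SecurePort(enabled=True, maximum=1, violation="shutdown")
    p.add_static(DEV1)
    return p, run(p, [DEV1, DEV2, DEV1])

def question9():   # sticky configured, but port security never enabled
    p = SecurePort(enabled=False, sticky=True)
    return p, run(p, [DEV1, DEV2])
```

Under shutdown the authorized host is cut off as well once a violation occurs, while protect and restrict keep it connected, which is the operational trade-off between the three modes.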